I am trying to use Java EE security. Following the docs ( [http://docs.oracle.com/cloud/CSJSU/dev_app.htm#BCEHFDFC] ).

The problem is, if a web app has <login-config> in web.xml, then users are not sent to the Cloud login screen when they access the app with its URL. Even if the entry is <login-config/>!
(I did a test with a very small web app. When I leave <login-config/> out of web.xml, then when I access the app URL, I first have to log in (when I Whitelist test it, I get a warning about that tag is missing). When I put <login-config/> in web.xml (the Whitelist warning goes away), but I can access the web app via its URL WITHOUT logging in at all.)

If users haven't logged in, then of course you don't know who they are and what their role is, so you cannot use normal web app security with protected resources.

Thanks. That clears up the public-ness of some web apps. (Not sure why if a web app has NO <login-config> tag at all that the cloud requires a log in, but I'll leave that for more pressing issues below.)

I am still having trouble with my web app with protected resources, though. I have defined users and the "boss" role and assigned some users to the "boss" role by using the Identity Console. But the problem is that users are NOT required to log in when they access the web app! Since they don't log in, of course the role-based security does not work, since we don't know WHO they are when they request a protected resource.

Hello,
Sorry for the delayed response ,
Let me answer your first question "(Not sure why if a web app has NO <login-config> tag at all that the cloud requires a log in "
The reason behind this is as Oracle Public Cloud is a "Enterprise" Cloud offering we have secured by default security posture.
This is to protect our customers so they don't expose applications to "public" internet unintentionally.
Explicit requirement of login-config element addition enforces this security constrain.

Regarding your web.xml and the weblogic.xml ,
web.xml look fine to me, I suspect the weblogic.xml configuration may be an issue
If the role "boss" is created under service "java" (or whatever is your service instance name ) then you should try following in the weblogic.xml